New HCP Terraform Features Improve Cost Visibility, Governance, and Security

The engineering team behind Terraform by HashiCorp has introduced several major improvements to HCP Terraform and Terraform Enterprise focused on reducing operational overhead, improving governance, and strengthening infrastructure security across the entire lifecycle.

The latest updates include:

  • Billable resource analytics (GA)
  • Project-level remote state sharing (GA)
  • Module testing for dynamic credentials (GA)
  • Project-level notifications (GA)
  • Registry tagging (Beta)

Billable Resource Analytics (GA)

Organizations using resource-under-management (RUM) billing previously lacked granular visibility into infrastructure consumption. Cost data was only available at the organization level, making it difficult to determine which projects or workspaces were driving usage and expenses.

HashiCorp has now introduced Billable Resource Analytics, providing detailed breakdowns of managed resources by project and workspace directly within HCP Terraform.

Key Benefits

Improved Cost Visibility

Infrastructure teams can now identify high-consumption workspaces, eliminate unnecessary resources, and better forecast future infrastructure spending.

Data-Driven Infrastructure Decisions

Engineering leadership gains clearer insight into actual resource utilization patterns, enabling better infrastructure planning and budget allocation.

This feature is available for all paid HCP Terraform plans through the existing organization usage page.


Project-Level Remote State Sharing (GA)

Managing terraform_remote_state access at scale has traditionally forced teams into two problematic approaches:

  • Share state organization-wide, increasing security exposure
  • Maintain manual workspace access lists, creating operational overhead

Large enterprises often resorted to multi-organization architectures simply to maintain isolation boundaries.

HashiCorp now introduces a new option:

“Share with all workspaces in this project”

This enables projects to function as true isolation boundaries for remote state access.

Access becomes dynamic:

  • New workspaces automatically inherit access
  • Moving workspaces between projects automatically updates permissions
  • Shared state scopes follow the workspace lifecycle automatically

Key Benefits

Stronger Security Isolation

Sensitive outputs remain accessible only within the intended project boundary, supporting least-privilege design principles.

Reduced Operational Overhead

Platform teams no longer need to manually maintain large access-control lists for workspace relationships.

Simplified Governance

Organizations can consolidate fragmented multi-org architectures into cleaner project-based models with improved performance and simpler administration.

⚠️ HashiCorp still recommends using the tfe_outputs data source instead of direct remote state access when possible, as it avoids granting full state access.
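The two access patterns that paragraph contrasts, shown side by side as an added example (this is not code from the article or from HashiCorp). It assumes an HCP Terraform organization named "example-org" with a workspace "network" in the same project that exports outputs `vpc_id` and `private_subnet_ids`; all of those names, and the consuming security group, are placeholders.

```hcl
terraform {
  required_providers {
    # The tfe provider supplies the tfe_outputs data source.
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Option A: terraform_remote_state downloads the producing workspace's
# entire state file. It only works if that workspace shares its state
# with this one, for example via "Share with all workspaces in this
# project", and the consumer then holds every resource attribute and
# secret recorded in that state, not just the declared outputs.
data "terraform_remote_state" "network" {
  backend = "remote"
  config = {
    organization = "example-org"
    workspaces = {
      name = "network"
    }
  }
}

# Option B (the recommended pattern): tfe_outputs reads only the declared
# outputs of the producing workspace through the HCP Terraform API, so
# the consumer never receives the full state.
data "tfe_outputs" "network" {
  organization = "example-org"
  workspace    = "network"
}

locals {
  # Both sources expose the same output value. tfe_outputs marks `values`
  # as sensitive as a whole; `nonsensitive_values` carries the outputs the
  # producer did not mark sensitive and can be used without wrapping.
  vpc_id_from_state   = data.terraform_remote_state.network.outputs.vpc_id
  vpc_id_from_outputs = data.tfe_outputs.network.nonsensitive_values.vpc_id
  private_subnet_ids  = data.tfe_outputs.network.nonsensitive_values.private_subnet_ids
}

# Consumer resource that needs only the VPC id, so Option B is sufficient.
resource "aws_security_group" "app" {
  name   = "app"
  vpc_id = local.vpc_id_from_outputs
}
```

When reviewing a workspace that still uses Option A, check whether every value it reads is a declared output of the producer; if so, switching to `tfe_outputs` removes the need to grant state access at all, and the project-level sharing option is then only needed for the cases that genuinely require the full state.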


Project-Level Notifications (GA)

Previously, notification integrations such as Slack, PagerDuty, or email alerts had to be configured individually for every workspace. In large Terraform environments, this frequently led to silent failures where new workspaces lacked monitoring entirely.

The new Project-Level Notifications feature centralizes alerting policies at the project layer.

Once configured:

  • All workspaces automatically inherit notification settings
  • New workspaces receive monitoring by default
  • Moving workspaces between projects automatically updates inherited alerts

Key Benefits

Monitoring by Default

No infrastructure is deployed without baseline observability and alerting coverage.

Reduced Operational Toil

Teams no longer need custom scripts or manual audits to ensure monitoring consistency across environments.

Faster Incident Response

Organizations can standardize routing policies, ensuring production environments automatically notify the correct SRE or operations teams.


Dynamic Credentials Support for Terraform Module Testing (GA)

Terraform deployments already support OIDC-based dynamic credentials, but module testing workflows often still relied on static cloud credentials and manually managed secrets.

HashiCorp has now extended dynamic credentials support to Terraform’s native testing framework. Testing environments can now use temporary OIDC-issued credentials for AWS, Azure, Google Cloud, and HCP Vault integrations.

Key Benefits

Unified Security Model

The same authentication model now applies consistently from terraform test through terraform apply.

Reduced Secret Management

Developers no longer need separate “test-only” credentials or shadow secrets.

Ephemeral Test Credentials

Temporary credentials are generated only for test execution and expire immediately afterward, eliminating lingering credential exposure.

Consistent Governance

Platform teams can now enforce identity-based access policies consistently across both deployment and testing workflows.
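What a module test looks like when it relies on dynamic credentials rather than static keys, as an added example that is not from the article or from HashiCorp. It assumes a small module (shown first) that creates an S3 bucket named from its `environment` and `name` inputs; the bucket names, region and file layout are placeholders. Which cloud role the test run assumes is configured in HCP Terraform for the module, not in these files, and the example deliberately leaves that configuration out.

```hcl
# --- file: main.tf (the module under test) ---

variable "name" {
  type = string
}

variable "environment" {
  type = string
  validation {
    condition     = contains(["prod", "non-prod"], var.environment)
    error_message = "environment must be prod or non-prod"
  }
}

resource "aws_s3_bucket" "this" {
  # Environment prefix makes the deployment class visible in the name.
  bucket = "${var.environment}-${var.name}"
  tags = {
    Environment = var.environment
  }
}

# --- file: tests/bucket.tftest.hcl ---

# No access keys or secret variables appear here. With dynamic
# credentials the provider receives a short-lived, OIDC-issued identity
# at run time, the same way it does during plan and apply, so the test
# file contains nothing worth leaking.
provider "aws" {
  region = "us-east-1"
}

variables {
  name        = "example-logs"
  environment = "non-prod"
}

# A plan-only run still needs a provider session to validate against the
# cloud API, so it still benefits from ephemeral credentials, but it
# creates nothing.
run "plan_non_prod" {
  command = plan

  assert {
    condition     = aws_s3_bucket.this.tags["Environment"] == "non-prod"
    error_message = "bucket must carry an Environment tag matching the input"
  }
}

# An apply run creates the bucket with the same ephemeral credentials;
# terraform test destroys what it created once the run finishes, and the
# credentials expire shortly after.
run "apply_prod_prefix" {
  command = apply

  variables {
    environment = "prod"
  }

  assert {
    condition     = startswith(aws_s3_bucket.this.bucket, "prod-")
    error_message = "prod buckets must be named with the prod- prefix"
  }
}
```

The practical check for a platform team is that the module's test configuration and its deployment workspaces point at the same role and trust policy, so that a test cannot reach anything a real run could not.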


Registry Tagging (Beta)

HashiCorp also introduced Registry Tags in public beta, enabling platform teams to tag Terraform modules and providers with metadata such as:

  • Environment classification (prod, non-prod)
  • Project associations
  • Usage guidance

Previously, Terraform registries lacked a built-in mechanism for identifying approved module versions or associating artifacts with specific environments.

Example Workflow

A module version can initially be tagged as:

non-prod

After validation and testing, it can later be promoted with:

prod

This gives downstream consumers a clear indication of approved deployment status.

Key Benefits

Better Security Controls

Approved module versions become easier to identify, reducing accidental deployment of unverified infrastructure code.

Faster Artifact Discovery

Teams can filter registries based on environment or project tags to locate the correct modules quickly.

Improved Governance

Organizations can extend existing project classification models directly into Terraform module and provider management.


Final Thoughts

These updates indicate a continued shift in Terraform’s direction toward:

  • Project-centric governance
  • Reduced manual operational overhead
  • Stronger identity-based security
  • Better observability and cost management

For organizations operating Terraform at scale, especially multi-team or multi-environment deployments, these additions significantly reduce the complexity of maintaining secure and governed infrastructure workflows.